[co-author: Lucy Ward]
UK Government set to move forwards with regulation on consumer IoT device security
The UK Government has just announced that it intends to draw up legislation aimed at ensuring that all consumer smart devices sold in the UK adhere to rigorous security requirements for the Internet of Things (“IoT“).
Over the last couple of years, the Government has been considering the need to develop a robust regulatory framework governing the cybersecurity of consumer IoT devices, to ensure that these devices are sufficiently secure from cyber-threats.
What will the new legislation look like?
The Government has indicated that the new legislation will focus on three key security requirements for the manufacture and sale of IoT devices:
- All consumer IoT device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of consumer IoT devices must provide a public point of contact so that anyone can report a flaw or vulnerability, and these reports are to be acted on in a timely manner.
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which devices will receive security updates at the point of sale (both online and in stores).
What does this mean for businesses?
- The Government aims to deliver the legislation “as soon as possible” though it is currently unclear how this legislation will reflect the three key security requirements.
- It is likely to come as a relief that the Government has decided against launching a security labelling scheme at this time, recognising the potential disruption to businesses caused by affixing a label to physical products.
- The Government plans to conduct further stakeholder engagement in order to refine its regulatory proposals, and determine the most appropriate way for businesses to communicate important security information to consumers.
What next?
The Government has promised a “staged approach” to regulation, which will include:
- Inviting further stakeholder feedback to develop the regulatory proposals.
- Providing businesses with sufficient time to implement the proposals effectively and sustainably.
- Publishing a final stage regulatory impact assessment later in 2020, which we expect will shed further light on the regulatory proposals.
We are monitoring relevant updates in this area and encourage manufacturers to keep an eye on further invitations from the Government for stakeholder engagement, as their proposals develop.
You can find further information on the Government’s proposals here.
[View source.]
